---
title: Webhook alert action sample in OMS Log Analytics | Microsoft Docs
description: One of the actions you can run in response to a Log Analytics alert is a *webhook*, which allows you to invoke an external process through a single HTTP request. This article walks through an example of creating a webhook action in a Log Analytics alert using Slack.
services: log-analytics
author: bwren
manager: jwhit
editor: tysonn
ms.assetid: 13c39f0f-fd3c-472d-8324-ddf7538be45e
ms.service: log-analytics
ms.devlang: na
ms.topic: article
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 02/27/2017
ms.author: bwren
---

# Webhook alert action sample in OMS Log Analytics
One of the actions you can run in response to a Log Analytics alert is a *webhook*, which allows you to invoke an external process through a single HTTP request. You can read about the details of alerts and webhooks in Alerts in Log Analytics.

In this article, we walk through an example of creating a webhook action in a Log Analytics alert using Slack, a messaging service.

> [!NOTE]
> You must have a Slack account to complete this sample. You can sign up for a free account at slack.com.
1. Sign in to Slack at slack.com.
2. Select a channel in the Channels section in the left pane. This is the channel that the message will be sent to. You can select one of the default channels such as general or random. In a production scenario, you would most likely create a dedicated channel such as criticalservicealerts.
3. Click Add an app or custom integration to open the App Directory.
4. Type webhooks into the search box and then select Incoming WebHooks.
5. Click Install next to your team name.
6. Click Add Configuration.
7. Select the channel that you're going to use for this example, and then click Add Incoming WebHooks integration.
8. Copy the Webhook URL. You'll be pasting this into the alert configuration.
9. Create an alert rule with the following settings.
   - Query: `Type=Event EventLevelName=error`
   - Check for this alert every: 5 minutes
   - The number of results is: greater than 10
   - Over this time window: 60 minutes
10. Select Yes for Webhook and No for the other actions.
11. Paste the Slack URL into the Webhook URL field.
12. Select the option to include a custom JSON payload.
13. Slack expects a payload formatted in JSON with a parameter named text. This is the text that it will display in the message it creates. You can use one or more of the alert parameters by prefixing them with the # symbol, as in the following example.

    ```json
    { "text":"#alertrulename fired with #searchresultcount records which exceeds the threshold of #thresholdvalue." }
    ```

14. Click Save to save the alert rule.
15. Wait sufficient time for an alert to be created and then check Slack for a message similar to the following.
You can extensively customize inbound messages with Slack. For more information, see Incoming Webhooks on the Slack website. The following is a more complex payload that creates a rich message with formatting:
```json
{
  "attachments": [
    {
      "title": "OMS Alerts Custom Payload",
      "fields": [
        {
          "title": "Alert Rule Name",
          "value": "#alertrulename"
        },
        {
          "title": "Link To SearchResults",
          "value": "<#linktosearchresults|OMS Search Results>"
        },
        {
          "title": "Search Interval",
          "value": "#searchinterval"
        },
        {
          "title": "Threshold Operator",
          "value": "#thresholdoperator"
        },
        {
          "title": "Threshold Value",
          "value": "#thresholdvalue"
        }
      ],
      "color": "#F35A00"
    }
  ]
}
```
This would generate a message in Slack similar to the following.
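As an added example that is not part of the original article, the following Python simulates how the #parameter placeholders in the two payloads above might be filled in and checks that the result is still valid JSON before it is posted. The substitution rules, the sample alert values and the example URL are my assumptions, not documented Log Analytics behaviour.

```python
import json
import re
import urllib.request

# Constructed sample values for the alert parameters named in this article.
SAMPLE_ALERT = {
    "alertrulename": 'Critical service "errors"',  # the quote exercises escaping
    "searchresultcount": "14",
    "thresholdoperator": "Greater Than",
    "thresholdvalue": "10",
    "searchinterval": "60 minutes",
    "linktosearchresults": "https://example.invalid/search?q=constructed",
}

# The simple payload template from the article.
SIMPLE_TEMPLATE = ('{ "text":"#alertrulename fired with #searchresultcount records '
                   'which exceeds the threshold of #thresholdvalue." }')

# Placeholders are lowercase names after '#'; a colour such as "#F35A00" begins
# with an uppercase hex digit and is therefore left untouched.
PLACEHOLDER = re.compile(r"#([a-z]+)")

def render_payload(template: str, params: dict) -> dict:
    """Substitute #name placeholders and return the parsed JSON payload.

    Assumption (my simulation, not the documented service behaviour): values
    are JSON-string-escaped before insertion so a quote in a rule name cannot
    break the payload; unknown placeholders stay verbatim so template typos
    are visible in Slack rather than silently dropped.
    """
    def substitute(match):
        name = match.group(1)
        if name not in params:
            return match.group(0)
        return json.dumps(str(params[name]))[1:-1]  # strip the outer quotes
    return json.loads(PLACEHOLDER.sub(substitute, template))  # ValueError if invalid

def post_to_slack(webhook_url: str, payload: dict) -> int:
    """POST the payload to the webhook URL and return the HTTP status. The URL is a
    credential: anyone holding it can post to the channel, so keep it out of source
    control and logs. Needs network access; not called in this file."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```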
With this alert rule in place, a message is sent to Slack every time the alert criteria are met.
This is only one example of an action that you can create in response to an alert. You could create a webhook action that calls another external service, a runbook action to start a runbook in Azure Automation, or an email action to send a mail to yourself or other recipients.
- Learn about other alert actions in Log Analytics.